OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] CTI TC Adoption and Interoperability SCs

I feel like the profile conversation does not get well served by trying to use it to discuss it as a "maturity scale" - they are not really the same thing. CybOX*, STIX and TAXII are very robust protocols that have *a lot* of optional information, and not all of that information is relevant to all consumers or producers of STIX. Just because a product only supports a given profile does not mean that product is not mature... the information in other profiles may not be in any way relevant to that product class, and the product class will likely never support any more as a result.

This is why profiles are so important, because in order for products to inter-operate using these protocols, people using them need to "know what to expect" when they connect the products.

* As well, trying to call out the importance of CybOX in the profile conversation, simply because I don't see it mentioned much in these emails... the CybOX objects supported is a critical component of any profile in my opinion. I foresee a lot of consumer products not being able to support the full set of all possible CybOX objects and their operators.

Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

Inactive hide details for Mark Clancy ---2015/07/09 01:38:42 PM---Maybe the context that would be helpful to add is what does tMark Clancy ---2015/07/09 01:38:42 PM---Maybe the context that would be helpful to add is what does the thing implementing TAXII\STIX\Cybox

From: Mark Clancy <mclancy@soltra.com>
To: Terry MacDonald <terry.macdonald@threatloop.com>, Eric Burger <Eric.Burger@georgetown.edu>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 2015/07/09 01:38 PM
Subject: Re: [cti] CTI TC Adoption and Interoperability SCs
Sent by: <cti@lists.oasis-open.org>

Maybe the context that would be helpful to add is what does the thing implementing TAXII\STIX\Cybox actually do?
Does it consume specific data, does it publish specific data, or does it aggregate/link all data ?

The STIX profile attempted to address this with kind of saying. “Hey this is what I actually support”. If I am a CTI producer focusing on one thing like say DDoS attacks that narrow subset of Stix and Cybox objects defined in the profile may well be the maximum content I would every produce anyway so having a maturity of "X" is the max that I could ever be and similarly if I was a defensive tool that re-directed access to evil web sites support cybox object with Windows Registry keys are fairly irrelevant. On the other hand if I am sharing hub/aggregation portal or a SIEM those same levels of support in the STIX profile are way below what a customer of that platform would expect. Those should not get treated in the same way on a maturity curve.

The downside of a "maturity scale" is that it can be viewed as penalizing specialty services/tools that don't need every widget to have maximum effectiveness for what they do where as you kind of want to point out that another platform is less mature as it left a lot of capability on the table with their implementation and therefore have sub-optimal effectiveness given what it could be doing to feel that pressure.

So what the heck should we do?

We need to put life into the STIX profiles.
We need to figure out a way to differentiate STIX profiles where the maximum needed to do the purpose has been achieved and where things are left on the table.

For the buyer of a solution this is the critical difference and if we can’t express that difference some how that in my experience tend to lay blame (in the mind of the buyer) with the standards not the implementation by their suppliers.


Mark Clancy
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile | +44 7823 626 535 UK mobile
mclancy@soltra.com | soltra.com

One organization's incident becomes everyone's defense.

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@threatloop.com>
Wednesday, July 8, 2015 8:26 PM
Eric Burger
Re: [cti] CTI TC Adoption and Interoperability SCs

Yes, well stated Pat. I especially like the notion of describing what you need and nothing more.


Terry MacDonald
| STIX, TAXII, CybOX Consultant

M: +61-407-203-026
E: terry.macdonald@threatloop.com
W: www.threatloop.com

Disclaimer: The opinions expressed within this email do not represent the sentiment of any other party except my own. My views do not necessarily reflect those of my employers.

On 9 July 2015 at 03:45, Eric Burger <Eric.Burger@georgetown.edu> wrote:

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]